Quest®
ActiveRoles™
Server
Version 6.1.0
Release Notes
October 24, 2008
Resolved Issues and Enhancements
Quest ActiveRoles Server can help you automatically provision, re-provision and de-provision users quickly, efficiently and securely in Active Directory and beyond. ActiveRoles Server provides strictly enforced role-based security, automated group management, change approval and easy-to-use Web interfaces for self service, to achieve practical user and group lifecycle management for the Windows enterprise.
The newest version, ActiveRoles Server 6.1, adds significant value: enhanced provisioning and de-provisioning policies, time-based management of group membership changes, and a rich suite of reports built upon the Microsoft SQL Server Reporting Services platform. The release also improves product performance and stability.
For information about the key new features in the latest version of ActiveRoles Server, refer to the ActiveRoles Server What's New document. Information about other new features along with instructions on how to start using new features can be found in the ActiveRoles Server Feature Guide. These documents are available from the Documentation page in the ActiveRoles Server CD Autorun window.
This section provides a list of issues that were resolved in ActiveRoles Server version 6.1.0 (as compared to version 6.0.4). Each item in the list includes an ID number, which identifies the item, and a brief description of the issue. The list is divided by component so that the items related to each individual component of the product are grouped together:
TF00028010
Fixed: The Setup program for the ActiveRoles Server ADSI Provider (setup.exe)
may not automatically install some of the required components, such as Microsoft
Core XML Services (MSXML) 6.0.
TF00035180
Fixed: The Setup program does install the ActiveRoles Server ADSI Provider as
expected when only the SDK and Resource Kit feature is selected in the
Installation Wizard.
TF00035183
Fixed: Incorrect behavior of the Administration Service Setup program in the
following scenario. You install the ActiveRoles Server SDK and Resource Kit
feature only, without installing Administration Service. Then, you run the
Installation Wizard again, and choose to install Administration Service in
addition to SQK and Resource Kit. In this scenario, the Setup program may fail
to install Administration Service.
TF00035611
Fixed: On a Windows Server 2008 based computer, the Web Interface Setup program
may take longer than expected to start the Installation Wizard.
TF00036317
Fixed: When installing the ActiveRoles Server ADSI Provider on a system without
Microsoft .NET Framework 2.0 or later, the Setup program may display a message
stating that .NET Framework 2.0 or later is required. Actually, the ActiveRoles
Server ADSI Provider does not require .NET Framework.
TF00036994
Fixed: The Setup program for some of the ActiveRoles Server modules may not
automatically install required system components, such as Microsoft Core XML
Services (MSXML) 6.0. The affected ActiveRoles Server modules include Import
Tool, Collector, Management Shell for Active Directory, SPML Provider.
TF00037568
Fixed: Language resources for some of the ActiveRoles Server ADSI Provider
components are missing from the 64-bit version of the ActiveRoles Server
Language Pack.
TF00038038
Fixed: An upgrade of the ActiveRoles Server Language Pack does not update the
language resources for the ActiveRoles Server ADSI Provider.
TF00038283
Fixed: The ActiveRoles Server Administration Service installation package and
binary files do not have an Authenticode signature.
TF00048375
Fixed: In an ActiveRoles Server environment that uses a separate database to
store Management History data, upgrading the Administration Service or
installing a patch for the Administration Service may restore the default
Management History database connection parameters, so the upgraded
Administration Service is unable connect to the appropriate Management History
database.
TF00051575
Fixed: The Administration Service, MMC Interface, and Web Interface executable
files do not contain a UAC manifest that specifies the desired run level, and
thus do not meet the requirements of the Windows Server 2008 certification
program.
TF00051576
Fixed: When installing the Administration Service, the Setup program does not
check whether SQL Server selected to host the Administration Service
configuration database is in case-sensitive mode. As a result, if SQL Server
uses case-sensitive collation, the database created by the Setup program is
inoperative.
TF00053917
Fixed: ActiveRoles Server installation (MSI) packages receives some errors in
the Internal Consistency Evaluators (ICEs) when validated to meet the
requirements of the Windows Server 2008 Certification Program.
TF00053938
Fixed: The ActiveRoles Server installation packages do not include the
MsiRMFilesInUse dialog required by the Windows Server 2008 certification
program.
TF00011972
Fixed: The Move Mailbox task is missing from the Exchange Task Wizard if the
wizard is invoked on a selection of multiple mailbox-enabled user accounts in
the ActiveRoles Server console. This issue is due to incorrect behavior of the
Administration Service.
TF00018328
Fixed: The Administration Service may fail to synchronize permission settings
from ActiveRoles Server to Active Directory in the following scenario. You link
an Access Template to a container, such as an Organizational Unit or a Manager
Unit, so that the permission settings defined by the Access Template are applied
to the objects in that container but not to the container itself (the option
"Apply permissions onto this directory object" is un-selected, the option "Apply
permissions onto child objects of this directory object" is selected). In this
scenario, the "Propagate permissions to Active Directory" option may not work as
expected. The Administration Service may fail to create ACEs in Active Directory
in accord with the Access Template link in question.
TF00018490
Fixed: The Administration Service may incorrectly generate the legacyExchangeDN
attribute on a user or group object if the name of an Administrative Group in
the Exchange Organization or the name of the Exchange Organization contains a 'cn'
substring. In this condition, ActiveRoles Server fails to configure the
Administrative Group setting on a user or group when performing the Create
Mailbox or Establish E-mail Address task.
TF00018502
Fixed: A database access error on SQL Server may cause the Administration
Service to stop unexpectedly.
TF00019192
Fixed: The Administration Service does not allow the Home Folder attribute on a
user account to be populated with a path to a non-existent network folder.
TF00022476
Fixed: When creating a new user account by copying an existing mailbox-enabled
user account, with the option not to create a mailbox for the newly created
account, the Administration Service may populate some Exchange-related
attributes on the new user account. The expected behavior is that no
Exchange-related attributes are populated since mailbox creation is not
requested.
TF00026389
Fixed: Script-based policies that use the DirObj object in the onPostMove or
onPostRename handlers may not function as expected.
TF00026459
Fixed: Some of the permissions delegated in ActiveRoles Server cannot be
propagated (synchronized) to Active Directory. For example, this is the case
with the permissions defined by the "Domains - Generate Resultant Set of Policy
(Planning)" Access Template.
TF00026519
Fixed: The Administration Service may incorrectly process certain complex search
requests, which may cause incorrect search results in ActiveRoles Server add-on
modules such as Quick Connect.
TF00027910
Fixed: The Administration Service may incorrectly process a search request if
the underlying data source is unavailable (for example, the LDAP connection to
the domain controller is broken). Instead of aborting the request, the
Administration Service may continue to poll the data source waiting for a
response that would indicate that there are no more search results.
TF00028048
Fixed: The Administration Service may fail to add an object to a domain local
group if the object and the group are from different forests (domain of the
object and domain of the group are registered with ActiveRoles Server and
required trust relationships between domains are in place).
TF00028118
Fixed: When generating a value for the Alias (mailNickName) property on a group
object, the Administration Service allows the value to contain space characters.
The expected behavior is that the space characters, if any, are automatically
removed from the generated Alias value.
TF00035108
Fixed: If you install the Administration Service with the option to use the
existing configuration database of a later version (for example, the
Administration Service 6.0.3 that uses the database of version 6.0.4), then you
cannot upgrade your installation to the latest version with the option to use
the existing database. The upgrade process causes an error condition on SQL
Server.
TF00035159
Fixed: When processing a Deprovision request in special (preview) mode, the
Administration Service may not record information about that request to the
Management History data store. As a result, add-on applications that use preview
mode (such as ActiveRoles Quick Connect), may fail to display information about
the expected results of the Deprovision operation.
TF00035211
Fixed: With an approval rule configured so that an application, such as Quick
Connect, is designated as the initiator of operations that require approval, the
Administration Service may fail to generate approval tasks based that rule.
TF00035254
Fixed: Upon an attempt to set a blank password on an AD LDS user object, the
Administration Service may return an error. The error message reads "Index was
outside the bounds of the array."
TF00035295
Fixed: An ActiveRoles Server policy for generating the Name (cn) property may
not work as expected during the Rename operation on a user account: The
Administration Service may fail to update the Full Name on a user account in
accord with the policy, thus causing a policy violation condition.
TF00035522
Fixed: The ActiveRoles Server database scripts contain non-optimized code. As a
result, upgrading the Administration Service with the option to use the existing
database may take longer than expected.
TF00035533
Fixed: When updating a Dynamic Group, the Administration Service may create
nested groups even though the Dynamic Groups policy option to create nested
group is un-selected. This issue may also cause transient noncompliance of
Dynamic Group membership lists with the membership rules that are in effect.
TF00035823
Fixed: Excessive consumption of system resources by the Administration Service
upon execution of the Change Tracking Cleanup task that removes obsolete
Management History data.
TF00035843
Fixed: When you set up the 'Mail Configuration' for ActiveRoles Server and
choose the option 'This server requires authentication', the password is stored
in an attribute as plain text. The information is also visible in the EDM Server
log.
TF00036177
Fixed: The Administration Service may incorrectly process a Property Generation
and Validation policy rule if the rule contains an attribute value with a "{"or
"%" character. For example, upon object creation, it may fail to apply an object
name containing such characters in accord with the policy rule. In this case, it
fails to create the object, returning the "Failed to parse the policy rule"
error.
TF00036310
Fixed: When configuring an Exchange Mailbox Deprovisioning policy, ActiveRoles
Server makes it possible to select both the option to hide the mailbox from GAL
and the option to give certain users or groups access to the mailbox. In the
default configuration, both are selected. In fact, these options are mutually
exclusive.
TF00036827
Fixed: With a Home Folder AutoProvisioning policy configured to enforce home
folder path and name, the Administration Service may fail to apply a home folder
setting on a user account, returning a policy violation error, if the setting
contains the %USERNAME% variable typed in uppercase.
TF00036839
Fixed: With the "Enforce this home folder setting in Active Directory" option
enabled, a Home Folder AutoProvisioning policy does not validate the homeDrive
setting as expected: If a policy is configured to connect the home folder to a
particular drive letter, selecting a different drive letter does not cause a
policy violation condition. The change to the drive letter is applied even
though this is not in compliance with the policy.
TF00037125
Fixed: When creating a new object by copying an existing object, the
Administration Service may not copy an attribute from the original object to the
newly created object despite the "copy" flag set on that attribute. For example,
when copying a user account, the Administration Service may not set the "City"
attribute on the newly created account.
TF00037352
Fixed: The Web Interface option to use any available Administration Service from
the ActiveRoles Server replication group may not work as expected. If the Web
Interface and the Publisher Administration Service are installed on the same
computer and the Publisher Administration Service is stopped, then the Web
Interface is unable to connect to any other Administration Service, returning
the following error: "The ActiveRoles Administration Service is not available."
TF00037489
Fixed: In an Exchange Server 2007 organization, the Administration Service may
fail to perform certain Exchange tasks, such as Establish E-mail Addresses.
TF00037531
Fixed: The AD LDS Proxy object class is missing from the list of object classes
on which ActiveRoles Server performs change tracking. As a result, the Change
History command is not displayed on AD LDS Proxy objects.
TF00037537
Fixed: When processing a request for a Move operation that specifies the same
source and destination, the Administration Service erroneously adds a record to
the change tracking log indicating that an object was moved. Eventually, the
record appears in the Change History or User Activity report and identifies the
same container in the "Object was moved from" and "Object was moved to" fields.
The expected behavior is that the Administration Service logs no change tracking
records in this scenario.
TF00037567
Fixed: An error condition upon processing of a Deprovision request may cause a
memory leak in the Administration Service. This may also cause the
Administration Service to generate a crash dump file.
TF00037727
Fixed: The DGUpgrade6x.vbs script may fail to upgrade Dynamic Groups in the
following scenario: The Administration Service was upgraded to version 5.2 from
an earlier version, and then upgraded from version 5.2 to version 6.x.
TF00037973
Fixed: If ActiveRoles Server is configured so that multiple Administration
Service instances share a common database participating in ActiveRoles Server
replication, then the connection point information published by ActiveRoles
Server in Active Directory may provide an incomplete list of the Administration
Service instances deployed within the ActiveRoles Server replication group.
TF00037983
Fixed: The DGUpgrade6x.vbs script, which is used to upgrade the Dynamic Groups
that were created by an earlier version of ActiveRoles Server, may have no
effect on the groups located in a particular organizational unit if the name of
the organizational unit contains non-alphanumeric characters. As a result, those
groups are not identified as Dynamic Groups after an upgrade of the
Administration Service.
TF00038028
Fixed: Stopping the Administration Service when it is busy processing requests
may cause a diagnostic memory dump file to be generated or an error message box
to appear.
TF00038042
Fixed: An error may occur in the Administration Service upon an attempt to set
the edsvaExchangeProperties attribute on the Configuration/Server Configuration
object. The error message is "Object reference not set to an instance of an
object."
TF00038088
Fixed: Incorrect behavior of the change approval engine after an upgrade of the
Administration Service when multiple instances of the Administration Service
synchronize their configuration data using ActiveRoles Server replication: A
change approval task created on the Publisher and then completed using the Web
Interface connected to a Subscriber remains in the "Pending tasks" list and does
not appear in the "Completed tasks" list.
TF00038303
Fixed: The Administration Service may fail to retrieve print jobs from a print
queue, returning the following error: "The data area passed to a system call is
too small." You may encounter this problem when managing a print queue in the
computer management section of the Web Interface.
TF00038428
Fixed: In an Exchange Server 2007 organization, the Administration Service may
fail to perform the Establish E-mail Addresses task on a contact object.
TF00038571
Fixed: In an Exchange organization, the Administration Service may fail to
perform the Delete Email Addresses task on an inetOrgPerson object.
TF00038592
Fixed: Outdated version of the dbghelp.dll file that ships with ActiveRoles
Server. The file has a Quest Software rather than Microsoft digital signature.
TF00038606
Fixed: In an Exchange organization where Exchange Server 2007 is configured to
coexist with Exchange Server 2003 or Exchange 2000 Server, the Administration
Service may not provide a complete list of expansion servers to the clients.
Thus, in the Properties dialog box for a mail-enabled group in the ActiveRoles
Server console, some servers may be missing from the "Expansion server" list on
the Exchange Advanced tab.
TF00038949
Fixed: The Administration Service executable file (arssvc.exe) does not contain
a UAC manifest that specifies the desired run level, and thus it does not meet
the requirements of the Windows Server 2008 certification program.
TF00039461
Fixed: Under a heavy load, the Administration Service may create a large number
(100+) of open (active) connections to the SQL Server instance that hosts the
ActiveRoles Server database, as a result of which it may consume an excessive
amount of system resources (such as memory or CPU time). This issue can cause
the Administration Service to respond slowly or, in the worst cases, to stop
unexpectedly.
TF00039479
Fixed: With multiple Administration Service instances that synchronize
configuration data using replication and permission settings defined at the
Managed Unit level, ActiveRoles Server may incorrectly process permissions
delegation. As a result, some of the delegated permissions may have no effect.
TF00039534
Fixed: The Administration Service raises an error on initiating an operation
that requires approval if a script function for designating approvers returns a
Distinguished Name (DN) containing a backslash character (\).
TF00039737
Fixed: After performing a search request, the Administration Service may not
properly update its performance counter information. Specifically, this issue
affects the "AR Server:Requests" performance object.
TF00039748
Fixed: When setting or resetting the password for an AD LDS user object, the
Administration Service may encounter an error if the password to set contains
non-Latin characters. The error message is "Value was either too large or too
small for an unsigned byte."
TF00039816
Fixed: The ActiveRoles Server Administration Service may stop responding after
an attempt to retrieve information about available domain controllers in a
managed domain.
TF00040168
Fixed: Incorrect behavior of the Change History function when you create a new
user account by copying an existing user account: As expected, the new account
is added to every group in which the original account is a direct member, but
the Change History reports on those groups indicate that the Add to Group
operation is performed by Internal Connection instead of identifying the user
who actually performed the Copy operation.
TF00040430
Fixed: After changing DirSync server, the Administration Service may stop
responding, so restart of the Administration Service is required.
For every managed domain, the Administration Service chooses a certain domain
controller (referred to as DirSync server) to track changes to directory data
using the directory synchronization (DirSync) function provided by Active
Directory. On a scheduled basis, the Administration Service validates the domain
controller that is currently selected to hold the role of DirSync server, and,
depending on the validity check results, may select a different domain
controller. A different domain controller can also be selected by an
administrator using the ActiveRoles Server console. In either case, selecting a
different domain controller to hold the role of DirSync server may cause the
Administration Service to stop responding.
TF00040545
Fixed: The 64-bit version of the Administration Service is unable to perform the
Move Mailbox task on Exchange Server of version earlier than Exchange Server
2007 since Exchange System Management Tools cannot run on 64-bit editions of
Windows Server. To address the problem, the Administration Service now uses
Exchange 2007 Management Tools for this task.
TF00040629
Fixed: When processing a request to set the edsaAccountLockedOut attribute to 0
(unlock a user account that is locked out), the Administration Service records
an incorrect value of that attribute in the Management History data store.
TF00041408
Fixed: When building a list of network shares (shared folders) the
Administration Service may consume an excessive amount of memory (memory leak),
respond slowly or, in the worst cases, stop unexpectedly. Another symptom of
this issue is that the Administration Service may return an incomplete list of
network shares to the client. This issue may occur upon home share
deprovisioning, or during a management operation on network shares performed by
the Administration Service upon request from the Web Interface or ADSI Provider.
TF00042077
Fixed: For every deprovisioned user, the Administration Service creates two
identical records in the EDM Server event log (rather than a single record),
indicating that the user account has been deprovisioned. As a result, reports on
deprovisioning results contain duplicate entries.
TF00047863
Fixed: Incorrect behavior of the Set Data option in the Policy Check results
information for a Home Folder AutoProvisioning policy on a user account: The
Administration Service may not properly apply the Set Data option to configure
the home folder setting on the account in accord with the policy that is in
effect.
TF00050847
Fixed: Incorrect behavior of the permission synchronization process in the
following scenario: An Access Template is applied to the Active Directory node
to configure permission settings on the Configuration container in Active
Directory. If any child domain is registered with ActiveRoles Server (managed
domain) so that an override account is used to access the domain and the
override account has insufficient rights on the Configuration container, then
the Administration Service may fail to synchronize permission settings from
ActiveRoles Server to Active Directory, reporting the "Access is denied" error
in the EDM Server log in Event Viewer.
TF00050849
Fixed: If a user account is deprovisioned and then restored (un-deprovisioned)
by clearing the edsaDeprovisionStatus attribute, the Administration Service may
not restore membership of the account in Managed Units or Dynamic Groups.
TF00051083
Fixed: The point-and-click customization facilities in the Web Interface cannot
be used to move the entries for user account options such as "User must change
password at next logon" or "Password expires" from the Account tab to a
different tab on the General Properties page for user objects. After you remove
those entries from the Account tab, you cannot select them to add to another tab
because they are missing from the list of available entries.
TF00051086
Fixed: When performing a search, the Administration Service may return the
edsaMember attribute even though the attribute is not set. In this scenario, an
attempt to retrieve the value of the edsaMember attribute may cause an error.
TF00051559
Fixed: When the Deprovision operation is performed on a user account that is
explicitly included in a Dynamic Group, it may take longer than expected for the
Administration Service to remove the deprovisioned account from the Dynamic
Group.
TF00051910
Fixed: The Administration Service may fail to create a printer (printQueue)
object in Active Directory, returning the following error message: "The data
area passed to a system call is too small."
TF00051914
Fixed: The Administration Service may not return the value of the
edsaDomainNetbiosName attribute to a client script that uses the ADSI_FAST_BIND
option when binding to an object via the ActiveRoles Server ADSI Provider.
TF00052418
Fixed: The Administration Service returns a non-descriptive error message (MAPI
error: MAPI_E_FAILONEPROVIDER) upon an attempt to move a mailbox to a mailbox
store that is dismounted on Exchange Server.
TF00052420
Fixed: When establishing an e-mail address for a group, the Administration
Service generates the Display Name for the group based on the Alias property
instead of the pre-Windows 2000 name.
TF00052422
Fixed: When deprovisioning a user account, the Administration Service may not
remove the account from groups created and controlled by Group Family whereas
the report on deprovisioning results states that the account is removed from
those groups.
TF00052430
Fixed: When a client application such as the Web Interface requests access a
computer that is unavailable on the network (for example, upon an attempt to
open the Web Interface pages for managing Windows services on a particular
computer), the Administration Service does not return an error message to the
client application that would describe the error condition.
TF00052443
Fixed: The Administration Service may fail to add a managed domain, returning
the following SQL Server error: "The newsequentialid() built-in function can
only be used in a DEFAULT expression for a column of type 'uniqueidentifier' in
a CREATE TABLE or ALTER TABLE statement. It cannot be combined with other
operators to form a complex scalar expression."
TF00052881
Fixed: When converting a group to a Dynamic Group, the Administration Service
may fail to populate the membership list of the group in accord with the
membership rules that are in effect.
TF00052884
Fixed: In an environment where SQL Server 2005 hosts the ActiveRoles Server
databases and ActiveRoles Server replication is used to synchronize
configuration data between Administration Service instances, the Administration
Service may run a scheduled task more frequently than expected.
TF00052885
Fixed: With ActiveRoles Server approval rules configured so that object creation
requires approval, the Administration Service may not apply the approval rules
as expected when a new object (such as a user or group) is created by copying an
existing object. As a result, the object is created without submitting the
creation request for approval.
TF00052888
Fixed: When performing a task of deleting deprovisioned user accounts, the
Administration Service may fail to delete an account if the respective user
object contains other objects (has child objects) in the directory.
TF00053887
Fixed: The Administration Service may not clean up obsolete Attestation Review
data, which can cause excessive growth in size of the Management History data
store.
TF00054620
Fixed: A Policy Object created by copying the "Built-in Policy - Default
Deprovisioning" Policy Object may not function as expected: The report on
deprovisioning results based on that Policy Object may indicate errors on
certain steps of the deprovision operation.
TF00054847
Fixed: With a large volume of Management History data stored in the ActiveRoles
Server database (500,000+ records, about 8 GB), the Administration Service may
fail to configure its database server as the Publisher for ActiveRoles Server
replication. The Promote operation fails, with SQL Server returning the
following action message from the Snapshot Agent: "Timeout expired. The timeout
period elapsed prior to completion of the operation or the server is not
responding."
TF00054851
Fixed: When the Administration Service is busy performing a resource-intensive
task (for example, adding a large number of users to groups), it may fail to
process a request from a client such as the Web Interface. In this case, the
client receives the following error message from the Administration Service:
"Timeout expired. The timeout period elapsed prior to completion of the
operation or the server is not responding." An event with the same message in
the event description is also recorded to the EDM Server event log.
TF00055235
Fixed: A provisioning policy in ActiveRoles Server may fire upon modification of
an object in the directory while the policy is only expected to take effect upon
object creation. The problem occurs if the policy is configured to carry out a
provisioning action based on the value of a naming attribute, such as CN or
name.
TF00055480
Fixed: Upon an attempt to establish an e-mail address for a global or domain
local group in an Exchange Server 2007 organization, the Administration Service
may not return the appropriate error message to the calling client application
informing of the fact that only universal groups can be mail-enabled.
TF00055487
Fixed: The Administration Service may reject a request to modify an attribute
such as cn, ou, or dc on a particular object type even though the attribute is
not designated as a naming attribute for that object type in the directory
schema. As a result, ActiveRoles Server may fail to modify the cn, ou, or dc
attribute on an AD LDS user or proxy object.
TF00037021
Fixed: The ActiveRoles Server console may display an incorrect information
message when applying the Stop command to a running instance of Attestation
Review. The message prompts you to wait while Attestation Review is being
started.
TF00037478
Fixed: In the German-language version of the ActiveRoles Server console, the
column headings are not translated into German in the list of objects held in
the "Configuration/Server Configuration/Client Sessions" container.
TF00037836
Fixed: Incorrect behavior of the Profile tab in the Properties dialog box for a
selection of multiple user accounts in the ActiveRoles Server console: The
console may fail to apply changes made to the "Logon script" or "Profile path"
setting on the Profile tab because of an improper check for the "Home folder"
setting. The console may not apply the changes, returning "The specified path is
not valid" error message, or it may clear the existing "Home folder" setting.
TF00038286
Fixed: When you open pages for managing approval rules or attestation review
configurations in the ActiveRoles Server console, the pages may take longer than
usual to open.
TF00038616
Fixed: On a system with no default e-mail client application specified, the
ActiveRoles Server console does not inform of that problem condition upon an
attempt to send out operation results (such as Deprovisioning Results or
Attestation Review Results) via e-mail. Clicking the respective menu item or
toolbar button in the console window simply has no effect.
TF00040639
Fixed: The ActiveRoles Server console may provide inaccurate information about
account lockout and password policy settings on a user account: When you open
the Properties dialog box and click "Account Policies" on the "Additional
Account Info" tab, the console may show incorrect settings for:
- Account lockout duration
- Reset account lockout counter after
- Maximum password age
- Minimum password age
TF00041487
Fixed: On a Windows Vista or Windows Server 2008 based computer, the ActiveRoles
Server console may not display the icons identifying object type in the console
tree or details pane.
TF00041683
Fixed: In certain rare conditions, the Check Names function may not work as
expected in the Select Objects dialog box in the ActiveRoles Server console.
TF00045841
Fixed: When you modify properties of a Mail Configuration object in the
ActiveRoles Server console by un-selecting "This server requires authentication"
option, the console may fail to save your changes. The option remains selected.
TF00045982
Fixed: Inappropriate color of the heading text on the Approval Rule
Configuration and Attestation Review Configuration pages in the ActiveRoles
Server console.
TF00047962
Fixed: A typo in the information message box that the ActiveRoles Server console
displays when performing the "Disable Account" or "Enable Account" command on a
selection of multiple accounts.
TF00048755
Fixed: Incorrect behavior of the Delete Objects dialog box in the following
scenario. You select multiple user accounts in the ActiveRoles Server console,
and run the Delete command on that selection. In the Delete Objects dialog box,
you click the No button for a certain account, and then click the Deprovision
button. In this scenario, all the selected accounts are deprovisioned. The
expected behavior is that the account on which you have clicked No is unaffected
by the Deprovision operation.
TF00048848
Fixed: Retrieval of the user deprovision status information negatively affects
search performance in the ActiveRoles Server console when searching a Managed
Unit for user accounts.
TF00049460
Fixed: The ActiveRoles Server console may incorrectly apply changes to the
e-mail address on a contact or user object that has an SMTP e-mail address set
on the Exchange General tab in the Properties dialog box. When you modify the
SMTP e-mail address on that tab and save your changes, the SMTP suffix is added
to the e-mail address (which you can see on the General tab).
TF00049560
Fixed: The 64-bit version of the ActiveRoles Server console may fail to save
changes to the list of groups for a Group Membership AutoProvisioning policy.
When you modify the policy by adding a group to the list and apply your changes,
the console displays an error message stating that the list of groups cannot be
empty.
TF00049768
Fixed: The ActiveRoles Server console may fail to apply changes to user accounts
in the following scenario. You select multiple user accounts that have the Home
Folder attribute set, and open the Properties dialog box for your selection.
Then, on the Profile tab in the Properties dialog box, you make changes to the
"Logon script" field and click Apply or OK. In this scenario, you may receive an
error message stating that the specified path is not valid.
TF00050854
When performing the Create Mailbox task, the Exchange Task Wizard in the
ActiveRoles Server console may fail to configure an e-mail alias in accord with
an E-mail Alias Generation policy rule if the rule contains uniqueness number,
such as %<givenName>%<middleName>%2<sn>{@counter(optional)}
TF00050855
Fixed: The Select Objects dialog box in the ActiveRoles Server console may fail
to perform a wildcard-based search: When you type in an object name pattern
containing a wildcard character (for example, admin*) and click Check Names or
press ENTER, the console may fail to list the objects that match the pattern
specified.
TF00050865
Fixed: The 64-bit version of the ActiveRoles Server console may fail to delete
multiple objects at a time: The Delete command may have no effect on a selection
of two or more objects.
TF00051071
Fixed: The list of country names and country codes in the ActiveRoles Server
console contains some entries that do not comply with the respective ISO
standard.
TF00051072
Fixed: The ActiveRoles Server console may fail to create a computer object in
Active Directory is the name of the object contains a non-alphanumeric
character, such as an underscore (_).
TF00051372
Fixed: If desktop is configured with the "Large size (120 DPI)" display option,
some user interface elements are not displayed on the Attestation Review
Configuration pages in the ActiveRoles Server console.
TF00051909
Fixed: Incorrect behavior of the Exchange Task Wizard in the ActiveRoles Server
console when you choose the Create Mailbox task, click Next, then click Back and
choose the Delete Mailbox task. In this scenario, the wizard may attempt to
perform the Create Mailbox rather than Delete Mailbox task.
TF00051911
Fixed: The Exchange Task Wizard in the ActiveRoles Server console may fail to
perform the Establish an E-mail Address task on a selection of multiple groups.
The appropriate Alias value is generated for each group but the Next button is
unavailable (grayed out) on the Establish an E-mail Address page in the wizard.
TF00052925
Fixed: The Exchange Task Wizard in the ActiveRoles Server console does not
display an error message as expected when you attempt to perform the Establish
an E-mail Address task on a global or domain local group in an Exchange Server
2007 organization.
TF00052926
Fixed: Incorrect behavior of the Exchange Task Wizard on a selection of multiple
user accounts in the ActiveRoles Server console: The Create Mailbox task may
generate an e-mail alias that does not match the user name for one or more of
the selected accounts.
TF00053875
Fixed: Incorrect behavior of the Properties dialog box on a user account in the
ActiveRoles Server console when the dialog box is opened from a Policy Check
Results page that informs of a policy violation for the Home Drive attribute on
the account: The Home Drive and Home Folder settings are cleared in the
Properties dialog box that appears when you click Edit on that page to change
the Home Drive attribute value.
TF00053876
Fixed: Incorrect shortcut key (Alt+F instead of Alt+I) is assigned to the Find
Now button in the Find window in the ActiveRoles Server console.
TF00053877
Fixed: The ActiveRoles Server console may not refresh the list of objects held
in a Managed Unit after performing the Move operation on those objects. As a
result, the moved objects are displayed as if they were in the location from
which they have been removed, so clicking such an object causes an error in the
console.
TF00053879
Fixed: In the Administrative Template for the ActiveRoles Server console, the
"Set default view mode" policy option may not function as expected.
TF00053881
Fixed: A typo in the heading text on the Approval Rule Configuration pages in
the ActiveRoles Server console.
TF00054202
Fixed: Incorrect behavior of the window that displays a report about Attestation
Review results in the ActiveRoles Server console: After you e-mail the report,
the report window is hidden behind the main console window.
TF00054833
Fixed: Incorrect behavior of the Refresh function in Change History or User
Activity window, in the ActiveRoles Server console: When you click Refresh, the
window may not display a link to additional pages containing list entries that
do not fit in the current view.
TF00054866
Fixed: The completion page in the Exchange Task Wizard in the ActiveRoles Server
console incorrectly indicates the operation status in the following scenario. An
approval rule is in effect that requires approval for certain Exchange tasks.
Once such a task has been performed, the wizard states that the operation is
completed successfully instead of informing that the operation is submitted for
approval.
TF00055452
Fixed: Incorrect display of the Deprovisioning Results list in an environment
where ActiveRoles Server approval rules are configured so that the Deprovision
operation requires approval. Under this condition, the ActiveRoles Server
console may display an empty list in the Deprovisioning Results window.
TF00055455
Fixed: With ActiveRoles Server approval rules configured so that certain
operations require approval, the ActiveRoles Server console may not display an
appropriate message informing of that condition when such an operation is
requested.
TF00055458
Fixed: On a computer where no e-mail client is installed or an e-mail client is
not configured properly, the ActiveRoles Server console does not inform of that
problem condition upon an attempt to configure e-mail notification policy
settings or send out operation results (such as Deprovisioning Results) via
e-mail.
TF00055462
Fixed: When building the membership list for a large group (5,000+ members), the
ActiveRoles Server console may stop responding (hang). This problem may occur
when you open the Members tab in the Properties dialog box for such a group and
then select a different tab (for example, Member Of) in that dialog box.
TF00055465
Fixed: When building the membership list for a large group (5,000+ members), the
ActiveRoles Server console may stop responding (hang). This problem may occur
when you open the Members tab in the Properties dialog box for such a group, add
members to the list, and then click OK or Apply in that dialog box.
TF00017539
Fixed: With an approval rule configured so that setting a certain attribute of
Boolean type to TRUE (selecting the respective check box) requires approval, the
Web Interface may display a message stating that the operation is submitted for
approval when you set the attribute to FALSE (clear the check box and save the
changes) although an approval request is not actually created in this case.
TF00018385
Fixed: The objFormContext.Object.Get(strPropertyName) method in a custom entry
may return a data type other than expected.
TF00018803
Fixed: Incorrect default command on the "AD LDS (ADAM)" node in the Web
Interface tree view: When you click that node, the Web Interface displays a
Properties page instead of the contents of the "AD LDS (ADAM)" container.
TF00018937
Fixed: Inaccurate naming of the files in which the 64-bit version of the
ActiveRoles Server ADSI Provider stores the schema cache data: The files have
the ".32.ars" file name extension instead of ".64b.ars".
TF00022822
Fixed: The RootDSE::GetInfoEx method in the ActiveRoles Server ADSI Provider may
return no descriptive error message upon an attempt to retrieve data from the
Administration Service of an earlier version. Only error code is returned when
the ADSI Provider version 6.0 attempts to execute that method on the
Administration Service version 5.x. The expected behavior is that the ADSI
Provider returns an error message indicating software version mismatch in this
case.
TF00022917
Fixed: Incorrect behavior of the Web Interface page for creating a file share:
Clicking the Browse button displays an empty dialog box, so you cannot select
the desired folder and have to type in the path to that folder.
TF00026322
Fixed: When creating a user account, the Web Interface may fail to populate the
User Logon Name (edsaUPNPrefix) attribute on the newly created account in
compliance with a Property Generation and Validation policy that is in effect.
TF00026329
Fixed: With ActiveRoles Server security settings configured to allow full access
to a managed domain and deny access to the Builtin container in that domain, the
Web Interface does not allow access to Exchange properties on mailbox-enabled
user accounts, returning the "Access is denied" error message.
TF00026377
Fixed: The Web Interface may incorrectly process a script-based policy that
generates the edsaUPNPrefix user attribute upon creation of a user account. If a
data input error occurred and then corrected in the course of user account
creation, the Web Interface may not set the appropriate value for the
edsaUPNPrefix attribute on the user account being created.
TF00026388
Fixed: Access Template related reports produced by the ActiveRoles Server
reporting solution may contain incorrect information about Access Template
permission entries for extended rights or validated writes. Such a report may
state that a particular permission entry represents all extended rights or all
validated writes whereas the entry is actually a specific extended right or
validated write.
TF00026435
Fixed: The lists of objects in the Web Interface can display at most 100 items
per page. Configuring the Web Interface to display more than 100 objects per
page has no effect: when you specify a larger value for the "Number of objects
to display per page" setting and save your changes, the setting reverts to 100.
TF00026489
Fixed: If the ActiveRoles Server Language Pack for the Web Interface is
installed, the "User interface language" filed on the Settings page in the Web
Interface may display a language setting other than the language that is
actually set. Thus, when you select the English language, save your language
preference, and then close and re-open the Settings page, a language other than
English may be indicated.
TF00026496
Fixed: The Settings menu item is missing from the Navigation Bar in the Web
Interface for Self-Service.
TF00027888
Fixed: A blank, superfluous tab may appear in the left hand area on a Web
Interface page, in addition to the TREE and MENU tabs.
TF00027965
Fixed: Some pages for Group Policy management remain in the Web Interface
although the ActiveRoles Server license that is in effect does no allow the use
of the Group Policy management feature.
TF00028071
Fixed: Incorrect appearance of the Save, Cancel, and Policy Information buttons
on Web Interface pages.
TF00028088
Fixed: Incorrect behavior of the filter function on a list of objects in the
ActiveRoles Server Web Interface: An asterisk wildcard character (*) does not
work as expected. For example, when you enter *computer* in the Description
field on the filter bar, the Web Interface fails to list the objects whose
description contains the word "computer."
TF00028150
Fixed: By default, the list of groups on the "Member Of" page in the Web
Interface is not sorted. The expected behavior is that the list is sorted by
group name.
TF00035176
Fixed: The "How Do I" information is missing from the New Printer page in the
Web Interface.
TF00035754
Fixed: When you delete all cookies in your Web browser and then open a Web
Interface page that contains a splitter control (for example, the page that
lists managed domains), the splitter may randomly move between the borders of
the screen.
TF00035761
Fixed: The "Server" or "Mailbox store" drop-down list on the Web Interface pages
for Exchange mailbox management (such as the pages for creating a
mailbox-enabled user account) may not display the entire name of a server or
store. Long names may appear truncated on the list.
TF00035885
Fixed: When using the computer management pages in the Web Interface to stop a
Windows service, you may encounter the following error: "Unable to cast object
of type 'System.String' to type 'System.Object[]'."
TF00036142
Fixed: Running the "Save to file" command in the Web Interface may open a new,
empty window in the Web browser.
TF00036144
Fixed: Clicking the Save button on a page in the Customization section of the
Web Interface may cause an error. The error message is "Object reference not set
to an instance of an object."
TF00036155
Fixed: The entry for an attribute on a Web Interface page is read-only
(grayed-out) if the LDAP display name of the attribute contains a hyphen
character (for example, edsva-Sec-Admin).
TF00036172
Fixed: In the dialog box for selecting objects in the Web Interface, when you
type in an object name and press ENTER, the search for the object does not start
as expected. You have to click the Search button.
TF00036243
Fixed: Incorrect behavior of the Properties page for a form in the Customization
section of the Web Interface: When you clear or select the "Show policy
descriptions" check box on the General tab of that page and apply your changes,
the Web Interface may lose the "Object type" setting on the form you are
customizing.
TF00036252
Fixed: Incorrect position of the splitter (too close to the left border of the
screen) on the Search page in the Web Interface. If you move the splitter, the
new position is not retained when you refresh the page.
TF00036311
Fixed: In the Customization section of the Web Interface, when you add a tab to
a form, save and apply your changes, and then delete that tab, the Form Editor
may fail to display the contents of the remaining tabs, presenting you with the
following message: "No tabs created. To create a tab, press New Tab on the
toolbar."
TF00036315
Fixed: When using the Form Editor to customize a form, in the Customization
section of the Web Interface, you may encounter the following incorrect behavior
of the Move Up and Move Down buttons on the toolbar of the Form Editor:
Selecting the check box on the topmost tab of the form does not make the Move Up
button unavailable; similarly, selecting the check box on the very lowest tab
does not disable the Move Down button as expected.
TF00036741
Fixed: When you attempt to open the My Account page in the Web Interface site
for Self-Service, you may receive a non-descriptive error message if you do not
have sufficient rights to administer your own account in ActiveRoles Server.
TF00036802
Fixed: The Web Interface may incorrectly process an Exchange Mailbox
AutoProvisioning policy that is configured to select a mailbox store by using
the round-robin method: When you use the Web Interface to create mailbox-enabled
user accounts, the same mailbox store is always selected to hold the user
mailboxes despite the policy settings.
TF00036859
Fixed: Incorrect behavior of certain text boxes on Web Interface pages: When you
type in a text, place the cursor at the beginning of the text string and then
continue typing, the cursor may unexpectedly move to the end of the string.
TF00036870
Fixed: If a policy violation condition occurs on one of the Web Interface pages
for creating an object (for example, a user account), the respective error
message is displayed on the last page. The expected behavior is that the Web
Interface informs the user of the policy violation on the page where invalid
data has been entered.
TF00036883
Fixed: When modifying object properties, the Web Interface may incorrectly apply
Property Generation and Validation policy rules that specify unacceptable
(restricted) characters: It may not distinguish between UPPERCASE and lowercase
characters. Thus, with a rule that only forbids the use of the "A" (uppercase)
character in the value of a certain property, the Web Interface may allow
neither "A" nor "a" character there.
TF00036986
Fixed: The "Reset account" command may be missing from the Web Interface menu on
a computer account although the Web Interface user has sufficient rights to
reset computer accounts by using ActiveRoles Server.
TF00036990
Fixed: When the operational domain controller that is currently selected in the
Web Interface becomes unavailable, the Web Interface displays a non-descriptive
error message upon an attempt to manage any directory object ("The RPC server is
unavailable"). The expected behavior is that the Web Interface prompts the user
to choose a different domain controller.
TF00036991
Fixed: On the pages for managing object properties in the Web Interface, text
color in multi-line text boxes may differ from text color in other fields.
TF00036993
Fixed: The icon on the Web Interface pages for managing user accounts may be
displayed incorrectly: A red X may not appear on the icon for a disabled user
account, so you are unable to determine from the icon whether the account is
disabled.
TF00036997
Fixed: When a Web Interface user without sufficient rights to move objects
between containers attempts to move an object to a different container, the Web
Interface may not display an appropriate error message to help identify the
problem.
TF00037007
Fixed: When running on IIS 7.0, the Web Interface may encounter an error upon an
attempt to execute the "View RSoP" command.
TF00037008
Fixed: The "Access is denied" error occurs in the Web Interface upon an attempt
to delete a directory object if ActiveRoles Server security is configured so
that the Web Interface user has sufficient rights to delete the object but is
not authorized to view the objectClass property on that object.
TF00037019
Fixed: Incorrect behavior of the "Terminal services user profile" entry on the
Terminal Services Properties page for a user account: The entry accepts user
input (is not read-only) even though the Web Interface user does not have
sufficient rights to modify the respective property on the user account.
TF00037020
Fixed: Incorrect behavior of the "Delegation (Send As)" tab of the Exchange
Properties page for a user account in the Web Interface: The Add and Remove
buttons on that tab are available even though the Web Interface user is only
authorized to view user accounts.
TF00037053
Fixed: A script error may occur upon an attempt to open the Approval page in the
Web Interface.
TF00037139
Fixed: On the Member Of page in the Web Interface, selecting the "Show nested
groups" check box or clicking "Set Primary Group" may cause an error. The error
message is "Cannot access a disposed object."
TF00037143
Fixed: The "Number of objects to display per page" and "Number of pages to
retrieve for object list" fields on the Global Settings page allow non-numeric
input, which causes an error upon an attempt to save the settings: "Input string
was not in a correct format."
TF00037150
Fixed: The E-mail Address dialog box in the Web Interface allows an address to
be specified without selecting an address type (such as SMTP, X.400, etc.).
TF00037242
Fixed: Incorrect behavior of the Web Interface page for creating a file share:
Clicking the Browse button displays an empty dialog box, so you cannot select
the desired folder and have to type in the path to that folder.
TF00037291
Fixed: Incorrect behavior of the Exchange Custom Attributes dialog box in the
Web Interface: The entries for Exchange custom attributes allow user input even
when the Web Interface user does not have sufficient rights to modify those
attributes using Active Roles Server.
TF00037319
Fixed: An upgrade of the Web Interface may not preserve the existing
customization of the Home page.
TF00037396
Fixed: In the Web Interface, the hypertext links on the Change History or User
Activity page may not work as expected. For example, when DN-valued attribute
(such as Managed By) is set to a new value, clicking the new value on the Change
History page may have no effect. The expected behavior is that clicking the
value opens the Properties page for the object identified by the respective
distinguished name.
TF00037484
Fixed: If a managed AD LDS instance is running on Windows Server 2008, the Web
Interface may erroneously display the "Change Operational DC" command on an AD
LSD partition hosted by that instance. The "Change Operational DC" command is
not applicable in this case, and causes the "Object reference not set to an
instance of an object" error.
TF00037493
Fixed: The "Exchange Mailbox Deprovisioning" section on the Deprovisioning
Results page in the Web Interface may not provide hypertext links on the names
of the users or groups that are given access to the user mailbox in accord with
the Exchange Mailbox Deprovisioning policy.
TF00037542
Fixed: An upgrade of the Web Interface from version 5.2 to version 6.x may fail
to transfer the names of the entries that were added on customized Web Interface
pages.
TF00037547
Fixed: An upgrade of the Web Interface from version 5.2 to version 6.x may
incorrectly transfer an auto entry for the Manager attribute: After the upgrade,
the entry may allow input of more than one value, as if the Manager attribute
were multi-valued.
TF00037562
Fixed: An upgrade of the Web Interface from version 5.2 to version 6.x may
incorrectly transfer an auto entry for the lastLogonTimestamp attribute: After
the upgrade, the Web Interface may fail to open a page containing that entry. An
attempt to open the page results in the following error: "Object reference not
set to an instance of an object."
TF00037650
Fixed: In the Select Object dialog box in the Web Interface, filtering the
search results list by Type may not work as expected: After you apply a filter,
the list may still contain some objects of a type other than that you have
specified.
TF00037673
Fixed: The Web Interface site for Help Desk does not provide the ability to
search for AD LDS objects.
TF00037804
Fixed: Clicking the Add button on the "Advanced search" page in the Approval
section of the Web Interface may cause a script error.
TF00037962
Fixed: Incorrect behavior of the ActiveRoles Server ADSI Provider in an
environment where:
- ActiveRoles Server replication is used
- Two or more instances of the Administration Service share the database on SQL
Server that holds the Published role in the ActiveRoles Server replication group
In such an environment, the "Use any available Administration Service from the
replication group" connection option may not work as expected in a script that
leverages the ADSI Provider. The ADSI Provider may fail to identify the
replication group by the name of an Administration Service instance whose
database server holds the Publisher role.
TF00037985
Fixed: Incorrect behavior of the Advanced Search page for the "Users, Groups,
and Contacts" category or the Basic Search page for the "Custom" category in the
Web Interface: When you configure a search for groups by selecting the Group
option along with a certain property of group in the Field area, the page may
apply search criteria based on a property other than the property you have
selected.
TF00038081
Fixed: The Web Interface site for Help Desk does not provide the ability to
search for AD LDS objects.
TF00038203
Fixed: Entries for DN-valued attributes (such as Manager or Managed By) do not
provide the Properties button that would open the pages for managing the
respective object in the Web Interface.
TF00038232
Fixed: Inappropriate color of certain text labels on the pages in the Approval
section of the Web Interface.
TF00038292
Fixed: With a script policy that requires a certain Boolean attribute to be set
on user accounts, the Web Interface may fail to create or modify a user account,
reporting a policy violation condition, even though a value for the required
attribute is supplied on the respective Web Interface page.
TF00038313
Fixed: An upgrade of the ActiveRoles Server Language Pack may fail to update the
non-English language resources for the ActiveRoles Server ADSI Provider.
TF00038487
Fixed: After an upgrade of the Web Interface to the latest version (for example,
from version 6.0.2 to version 6.0.4), you may encounter an error upon an attempt
to open certain pages in the Web Interface. The affected pages include the
Properties page for such objects as Organizational Unit, Computer, Domain, Group
(General Properties page) , Printer, Shared Folder. The error message is "Error:
Method Get_owner, line 6122 Set objPath =
CreateObject("Quest.ArspWI.LegacyCode.IWIADRootPathParser")'New
IWIADRootPathParser'."
TF00038497
Fixed: In the Web Interface site for Help Desk, the entry for the Distinguished
Name property is configured as multi-valued.
TF00038578
Fixed: Incorrect contents of the Properties page for a custom (non-default)
entry in the Customization section of the Web Interface: The Advanced tab is
missing, the General tab contains the fields that should be displayed on the
Advanced tab.
TF00038645
Fixed: If the Web Interface is configured to use any available Administration
Service from the ActiveRoles Server replication group, then it may not display
the links to the Customization section on the Home page.
TF00038649
Fixed: When saving changes to an object in the directory, the Web Interface may
encounter a script error. The error may occur if any changes are made to an
attribute whose LDAP display name contains a hyphen character (for example,
msRTCSIP-FederationEnabled).
TF00038786
Fixed: With multiple Web browser windows open for a single Web Interface session
(using the Ctrl+N option in Internet Explorer), the Web Interface makes it
possible to modify a group so that the group becomes a member of itself.
TF00038884
Fixed: If an ActiveRoles Server policy for generating the Name (cn) property is
in effect on a given user account, the Web Interface may fail to accomplish the
Reset Password operation on that account, returning an error message that states
a policy violation condition.
TF00038948
Fixed: An upgrade of the Web Interface may not preserve the customization of the
Home page or Navigation Bar.
TF00038960
Fixed: With a Property Generation and Validation policy being in effect that
defines a certain list of values for the mDBOverQuotaLimit attribute, the Web
Interface allows a value to be selected from the "Prohibit send at (KB)" list on
the Storage Limits tab of the Exchange Properties page for a mailbox-enabled
user account although the "Use mailbox store defaults" check box is selected on
that tab.
TF00039135
Fixed: Clicking the Exit button on the Web Interface pages for copying a user
account may cause an error.
TF00039481
Fixed: An upgrade of the Web Interface from version 5.2 to version 6.x may
incorrectly transfer the URL setting for a custom command. As a result, running
that command after the upgrade causes an error.
TF00039519
Fixed: An upgrade of the Web Interface from version 5.2 to version 6.x may fail
with the following error: "Function AeUpdateSaveVD () updatecfg FAILED."
TF00040274
Fixed: When setting the Owner of a group, on the Claim Group Owner page in the
ActiveRoles Self-Service Manager, the Web Interface may issue two identical
requests to the Administration Service. As a result, the Change History report
on the group contains duplicate records that indicate the same operation of
setting the Owner.
TF00040364
Fixed: A typo in the error message heading in the Web Interface.
TF00040424
Fixed: On the "Change Operational DC" page in the Web Interface, the list of
available domain controllers is not sorted alphabetically by server name.
TF00040705
Fixed: On the "Change Operational DC" page in the Web Interface, the list of
available domain controllers is not sorted alphabetically by server name.
TF00041420
Fixed: When performing a search in the directory, the ActiveRoles Server ADSI
Provider may consume an excessive amount of memory (memory leak). This issue may
cause an out-of-memory error condition on the system running the ADSI Provider.
TF00041480
Fixed: After you click the Refresh button in the top right corner of the
tree-view pane in the Web Interface, the Refresh (F5) command in your Web
browser may fail to update the current Web Interface page with new data. For
example, you may encounter this issue in the following scenario:
1. Open the Web Interface page that displays properties of a user account.
2. Use the ActiveRoles Server console to make changes to properties of the
user account that are displayed on the Web Interface page you have opened.
3. In the Web Interface, click the Refresh button at the top of the
tree-view pane.
After you perform these steps, the Refresh (F5) command fails to update the page
you opened in Step 1 with the changes you made in Step 2.
TF00041544
Fixed: In the Web Interface site for Self-Service (Self-Service Manager), the
Quick Search filed is not hidden as expected on the My Requests and Approval
pages.
TF00041620
Fixed: When using the Web Interface to create a new user account by copying an
existing user account, you may encounter an error if you click the Exit button.
The error message is "Directory object not found. (Exception from HRESULT:
0x8007208D)."
TF00041625
Fixed: Incorrect color of the text labels on the Add, Remove, and Set Primary
Group buttons on the Member Of page in the Web Interface. The buttons look as if
they were unavailable (disabled).
TF00041696
Fixed: A typo on the Claim Group Owner page in the Web Interface Site for
Self-Administration (ActiveRoles Server Self-Service Manager): The "Assign me to
the owner role" option reads "Assing" instead of "Assign."
TF00042193
Fixed: The Web Interface may not properly display the name of an object (for
example, an OU name) if the name contains a backslash character (\).
TF00042576
Fixed: The icon on the Web Interface pages for managing computer accounts may be
displayed incorrectly: A red X may not appear on the icon for a disabled
computer account, so you are unable to determine from the icon whether the
account is disabled.
TF00045106
Fixed: Incorrect behavior of task lists in the Approval section of the Web
Interface in an environment where multiple Administration Service instances
synchronize their configuration data using ActiveRoles Server replication and
the Web Interface is configured to use any available Administration Service:
After an approval task is completed, it may remain in the list of pending tasks
for a certain period of time.
TF00046486
Fixed: When binding to an AD LDS object, the ActiveRoles Server ADSI Provider
may fail to connect to any instance of the Administration Service other than the
local one. As a result, if the Administration Service is not running on the
computer that hosts the ADSI Provider, an attempt to bind to an AD LDS object
via the ADSI Provider may cause an error: "The ActiveRoles Administration
Service is not available on <Computer Name>" where <Computer Name> stands for
the DNS name of the computer running a script that uses the ActiveRoles Server
ADSI Provider.
TF00046548
Fixed: The "Unknown name" error occurs in the Web Interface Site for Help Desk
upon an attempt to create a new group, provided that the menu for the
Organizational Unit object class is customized to include the New Group command.
TF00047687
Fixed: When using different Web browser windows to modify different objects
within the same Web Interface session (by pressing Ctrl+N to open new windows),
you may get incorrect results after you save your changes in the Web Interface.
TF00048385
Fixed: With Web Interface pages customized to include an entry for the "o"
(Organization-Name) attribute, the Web Interface may fail to save changes to
user account properties. The problem occurs if a policy rule is in effect that
requires the "o" attribute to be set on a user account. In this scenario, an
attempt to save changes to a user account causes the following error in the Web
Interface: "The "Organization" field cannot be empty." As a result, the Web
Interface cannot save changes even though a certain value is supplied in the
"Organization" field.
TF00048595
Fixed: The My Groups page in the Web Interface site for Self-Service may display
an empty list of groups if the user account name of the Web Interface user
contains parenthesis:'(' or ')'. This may occur even though that user is set as
the Manager (Owner) of certain groups and has sufficient rights to view those
groups in ActiveRoles Server.
TF00049370
Fixed: If a form in the Web Interface is customized so that the form contains
two or more default (auto) entries for attributes of DN syntax, then the form
may fail to save the changes made using such entries.
TF00049383
Fixed: If a form in the Web Interface is customized so that the form contains
two or more default (auto) entries for multi-value attributes of DN syntax, then
the form may fail to save the changes made using such entries.
TF00049574
Fixed: Incorrect processing of controls in a bind string: When two or more
controls are specified in a bind string (for example, EDMS://CN=Configuration//Control1=Value//Control2=Value),
the ActiveRoles Server ADSI Provider considers only the first control,
disregarding the others.
TF00049911
Fixed: After an upgrade of the Web Interface, some custom commands that were
configured in the old version of the Web Interface may fail to work because the
URL settings on those commands are lost during the upgrade.
TF00050870
Fixed: With ActiveRoles Server security configured to allowed changes to some
(not all) of the Exchange Custom Attributes, the entries for all Custom
Attributes are read-only. The expected behavior is that the Web Interface
displays read-only entries for only those Custom Attributes that the Web
Interface user is not authorized to modify, allowing changes to the other Custom
Attributes.
TF00050938
Fixed: On the "Member Of" page in the Web Interface, the "Remove" and "Set
Primary Group" buttons are available (not disabled) when no groups are selected
from the list on that page.
TF00051076
Fixed: On the "Claim Group Owner" page in the Web Interface site for
Self-Service (Self-Service Manager), the Remove button is available (not
disabled) when no groups are selected from the list on that page. Clicking
Remove without selecting a group causes an irrelevant message to appear in the
list of groups.
TF00051088
Fixed: If the entry for a multi-value attribute (such as proxyAddresses or
otherTelephone) on a Web Interface page is configured with the Read Only flag
set, then saving changes made on the page may clear that attribute.
TF00051089
Fixed: When you open the Properties page for an object in the Web Interface and
use the "Click here to customize this form" link to add an entry on the page,
you may encounter a script error.
TF00051201
Fixed: With an HTTPS connection, the "Export to Microsoft Excel" command does
not function as expected in the Web Interface.
TF00051544
Fixed: On the Member Of page in the Web Interface, a tool tip does not appear as
expected when you point to the "Show nested groups" check box.
TF00051565
Fixed: The point-and-click customization facilities in the Web Interface cannot
be used to move the entries for user account options such as "User must change
password at next logon" or "Password expires" from the Account tab to a
different tab on the General Properties page for user objects. After you remove
those entries from the Account tab, you cannot select them to add to another tab
because they are missing from the list of available entries.
TF00051630
Fixed: Incorrect behavior of the "Last Logon" function on the Account tab on the
General Properties page for a user account in the Web Interface: The dialog box
that appears when you click the Last Logon button may provide incorrect
information. Thus, it may indicate "Last logon timestamp" or "Days since last
logon" as "undefined" instead of displaying the actual values.
TF00051840
Fixed: The intended settings in the Web Interface configuration XML data may
have no effect on visibility of the Quick Search box on the Web Interface pages.
TF00051927
Fixed: When you use an asterisk in the Quick Search box, the Web Interface may
not treat this as a wildcard character. Thus, when you type *strators in the
Quick Search box and start your search, the Web Interface returns an empty list
of search results whereas it is expected to find all objects that have the
strators substring at the end of the name (such as Administrators).
TF00051929
Fixed: In the My Groups section of the Web Interface Site for
Self-Administration (ActiveRoles Server Self-Service Manager), the Web Interface
may display an empty list of groups despite the fact that the Web Interface user
is authorized to view groups in ActiveRoles Server or is assigned as the Manager
for certain groups (specified in the Managed By attribute).
TF00051933
Fixed: The Web Interface may fail to cerate a mailbox-enabled user account if
the "Last name" setting is not specified on that account.
TF00052405
Fixed: Incorrect placement of object icons in the list of objects on the
"Members" or "Member Of" page in the Web Interface. The problem occurs with the
list items that contain multiple lines of text.
TF00052412
Fixed: On the pages for managing object properties, the Web Interface may fail
to update the appearance of Boolean attribute entries (select or clear check
boxes) in accord with the ActiveRoles Server policies that are in effect.
TF00052945
Fixed: An error occurs in the Web Interface upon an attempt to open the
Directory Management pages if the Web Interface user is denied access to the AD
LDS (ADAM) node in ActiveRoles Server.
TF00052950
Fixed: The "User Activity" command is available in the Web Interface even if the
Web Interface does not have the "View Change History" permission in ActiveRoles
Server.
TF00052955
Fixed: Incorrect placement of the "Policy description" icon on certain Web
Interface pages.
TF00052956
Fixed: Inaccurate policy description for the Group Type property on the pages
for managing groups in the Web Interface: The message that is displayed when you
click the "Policy description" icon next to the "Group type" entry contains
information about policy rules for the objectSID attribute.
TF00053904
Fixed: With approval rules configured so that the Copy Object operation requires
approval, the Web Interface may return an error message when copying an object:
"Administration Service encountered an error when retrieving properties of the
object '<DistinguishedName>'. Directory object not found. (Exception from
HRESULT: 0x8007208D)"
TF00053905
Fixed: The My Reviews pages in the Web Interface site for Self-Service
(Self-Service Manager) may display the start time and end time for all the
ongoing instances of Attestation Review instead of only displaying that
information about the Attestation Review instances relating to the current user.
TF00054573
Fixed: In an Exchange Server 2007 organization, the Web Interface may not
display the Mobile Services button as expected on the pages for managing
Exchange user properties.
TF00054813
Fixed: The ActiveRoles Server ADSI Provider returns an incomplete version number
to a calling application. As a result, the Client Session objects that represent
ADSI Provider connections on the Administration Service only contain the first
three digits of the ADSI Provider version number.
TF00054849
Fixed: For built-in groups, such as "Account Operators" or "Remote Desktop
Users", the My Reviews pages in the Web Interface site for Self-Service
(Self-Service Manager) may fail to display a list of group members.
TF00055486
Fixed: In the tree view pane, the Web Interface may not display the complete
name of a managed domain (for example, it may only display MyDomain. instead of
MyDomain.company.com).
TF00055493
Fixed: In the list of approval tasks, the Web Interface may incorrectly identify
certain attributes to be changed within an operation waiting for approval. Thus,
it may indicate the "X500 Distinguished Name" attribute instead of the "Members"
attribute for an operation that adds or removes members from a group.
TF00037530
Fixed: Access Template related reports produced by the ActiveRoles Server
reporting solution may contain incorrect information about Access Template
permission entries for extended rights or validated writes. Such a report may
state that a particular permission entry represents all extended rights or all
validated writes whereas the entry is actually a specific extended right or
validated write.
TF00050882
Fixed: A data collection job configured by ActiveRoles Server Collector may fail
to run on a scheduled basis. The problem occurs if the distinguished name of the
container that holds the data to collect exceeds a certain length.
TF00051583
Fixed: The Data Collector executable file (EDMCollector.exe) does not contain a
UAC manifest that specifies the desired run level, and thus it does not meet the
requirements of the Windows Server 2008 certification program.
TF00039595
Fixed: ActiveRoles Import Tool may fail to start on a 64-bit system.
TF00041347
Fixed: The ActiveRoles Import Tool executable file (ActiveRoles Import Tool.exe)
does not contain a UAC manifest that specifies the desired run level, and thus
it does not meet the requirements of the Windows Server 2008 certification
program.
TF00035395
Fixed: A time-out condition may occur in the Management History Migration Wizard
if the database to process contains a large amount of data (2+ GB). The data
migration process fails with the following error: "The timeout period elapsed
prior to completion of the operation or the server is not responding."
TF00038234
Fixed: When run on a 64-bit version of the operating system in conjunction with
the 64-bit version of the ActiveRoles Server Administration Service, the
Management History Migration Wizard may fail to perform as expected, returning
the "System.InvalidCastException: Specified cast is not valid" error when you
specify the database used by that Administration Service as the source database
and click Next.
TF00052886
Fixed: After a large volume of Management History data is transferred by using
the Management History Migration Wizard, the ActiveRoles Server features and
functions that rely on that data may become temporarily unavailable.
TF00055457
Fixed: With the Administration Service running on a 64-bit system, the
Management History Migration Wizard may fail to perform the migration of
Management History data, returning the "Specified cast is not valid" error
message.
TF00024803
Fixed: Inaccurate names of certain user interface elements in the "User Object
User Interface Mapping" topic in the ActiveRoles Server SDK and Resource Kit.
TF00024804
Fixed: Inaccurate names of certain user interface elements in the following
topics in the ActiveRoles Server SDK and Resource Kit:
- Computer Object User Interface Mappings
- User Object User Interface Mappings
- Group Object User Interface Mappings
- Organizational Unit User Interface Mappings
TF00024809
Fixed: Outdated names of ActiveRoles Server containers for display specifier
objects are used in the "Display Specifiers" topic in the ActiveRoles Server SDK
and Resource Kit.
TF00025664
Fixed: The ActiveRoles Server SDK and Resource Kit does not provide information
about the FormContext object.
TF00025777
Fixed: Incorrect instructions in the "Configuring Notification" topic in
ActiveRoles Server Help, in the ActiveRoles Server console.
TF00025853
Fixed: Incorrect attribute name ("email" instead of "mail") in the "LDAP Search
Filter Syntax" topic in ActiveRoles Server Help, in the ActiveRoles Server
console.
TF00037811; TF00041210; TF00041211; TF00041212;
TF00041213; TF00041214; TF00041215; TF00041220; TF00041221; TF00041222;
TF00041225; TF00041232
Fixed: Some minor inaccuracies and typos in the printed (PDF) documentation for
ActiveRoles Server.
TF00037935
Fixed: Incorrect (outdated) information on the arssvc.exe command line
parameters in the "Modifying Connection Settings" section in the ActiveRoles
Server Replication Best Practices and Troubleshooting document.
TF00038231
Fixed: Inaccurate syntax in the example of command usage for the CreateDB
command in the "Creating a Management History Database" section in the
ActiveRoles Server Administrator Guide. The database name (the second parameter
of the CreateDB.bat file) should be enclosed in square brackets.
TF00038839
Fixed: The instructions on how to create a custom command, provided by
documentation for the ActiveRoles Server Web Interface, mention an obsolete
parameter - "Function name."
TF00038840
Fixed: Certain default commands are not listed in the "Default Commands" section
in the ActiveRoles Server Web Interface Administrator Guide.
TF00038841
Fixed: Some minor inaccuracies in the ActiveRoles Server Web Interface User
Guide.
TF00038918
Fixed: Incorrect information on the "Sender e-mail address" setting in the
"Configuring E-mail Settings" section in the ActiveRoles Server Administrator
Guide. The document erroneously stated that this setting might not be specified.
Actually, an SMTP server normally requires a valid e-mail address to be provided
there.
TF00039032
Fixed: Outdated screenshots on Web Interface Help pages.
TF00040358
Fixed: Topic "The Command Settings" in the ActiveRoles Server SDK and Resource
Kit provides incorrect information about the AVFilter element: This element is
actually used to enable rather than disable commands on the menu in the Web
Interface.
TF00040365
Fixed: Discrepancies in section titles and incorrect formatting of section
bookmarks in the ActiveRoles Server Administrator Guide.
TF00040807
Fixed: Information about the "Claim group owner" feature of ActiveRoles Server
Self-Service Manager is missing from the ActiveRoles Server Web Interface
documentation.
TF00041342
Fixed: Obsolete section ("Running Web Interface on x64 Operating System") in the
ActiveRoles Server Quick Start Guide.
TF00049076
Fixed: The ActiveRoles Server SDK and Resource Kit does not provide information
about the DeprovisionedProperties property of the IEDSDeprovision interface.
TF00049283
Fixed: The ActiveRoles Server SDK and Resource Kit contains the "Searching by
Effective Permissions" topic whereas ActiveRoles Server does not provide for
this search capability.
TF00049339
Fixed: Inaccurate name of a topic in the ActiveRoles Server SDK and Resource Kit
("Creating an Entry" instead of "Creating an Auto Entry").
TF00050045
Fixed: Inaccuracy in the "IEDSRequestParameters Properties" topic in the
ActiveRoles Server SDK and Resource Kit: The OriginalObject server-defined
variable must be marked as deprecated.
TF00050944
Enhancement: The "Generation of Custom Entry Value" topic added to the
ActiveRoles Server SDK and Resource Kit.
TF00051541
Fixed: Incorrect name of a method of the Cryptography object in the
"Cryptography Object" topic in the ActiveRoles Server SDK and Resource Kit ("Object.Encrypt(ByVal
Str)" instead of "Object.EncryptToString(ByVal Str)")
TF00051856
Fixed: The ActiveRoles Server SDK and Resource Kit does not provide information
about the RefreshSchema method of the IEDM interface.
TF00053795
Fixed: The "IADsPropertyValue" topic in the ActiveRoles Server SDK and Resource
Kit provides information about the following IADsPropertyValue interface methods
that are no longer supported (and thus should be removed from the topic):
- OctetString
- SecurityDescriptor
- LargeInteger
- UTCTime and Clear
TF00054578
Fixed: Topic "IADsPropertyEntry" in the ActiveRoles Server SDK and Resource Kit
provides incorrect information about the IADsPropertyEntry interface: In fact,
this interface can only be used to retrieve data and cannot be used to update
data.
TF00054579
Fixed: The "Intrinsic Objects" topic in the ActiveRoles Server SDK and Resource
Kit contains a hyperlink to a nonexistent topic ("PageForm Object").
TF00054658
Fixed: The ActiveRoles Server documentation does not inform of the following
condition:
In order to manage Exchange recipients (users, groups, or contacts) in an
Exchange Server 2007 Organization, the Administration Service must use the
service account rather than an override account to access every domain that
holds the Exchange recipients to manage.
TF00055172
Fixed: The ActiveRoles Server Quick Start Guide does not provide information on
how to configure the Administration Service account for ActiveRoles Server to be
able to perform the Move Mailbox task on Exchange Server 2007.
TF00055435
Fixed: A list of the IIS 7.0 Web Server role services required by the
ActiveRoles Server Web Interface is missing from the System Requirements section
in the ActiveRoles Server Release Notes document.
This section provides a list of the currently known issues that customers may experience with ActiveRoles Server version 6.1.0. For each issue, the list includes an ID number, which identifies the issue, a brief description of the problem, and a workaround, if any exists, for the problem. The list is divided by component so that the issues related to each individual component of the product are grouped together:
TF00018149
When installing the Administration Service, you may encounter the following
error: "A short NETBIOS name should be used for connection to SQL Server. See
Release Notes.htm file, "known issues" section for details."
This error occurs in any of the following cases:
Case 1. A data loss occurred in SQL Server system tables
Case 2. The computer running the SQL Server instance was renamed
Case 3. You have used an alias to identify the SQL Server instance
To determine which case you have encountered, run the following two queries on
the SQL Server instance that you specified when installing the Administration
Service (enter these queries "as is," without making any substitutions for the 'servername'
parameter):
select @@servername
select serverproperty('servername')
Examine the results returned by these queries:
1. If "select @@servername" returns NULL, you have encountered Case 1.
2. If "select @@servername" and "select serverproperty('servername')" return
different non-null values, you have encountered Case 2.
3. If "select @@servername" and "select serverproperty('servername')" return the
same non-null value, you have encountered Case 3.
WORKAROUND
Use the following instructions, depending on the case you have encountered, and
then re-run the Setup program to install the Administration Service.
Case 1:
Run the following query against the Master database on the SQL Server instance
in question, and then restart the SQL Server instance:
declare @sn sysname
select @sn = cast(serverproperty('servername') as sysname)
exec sp_addserver @sn, 'local'
Case 2:
Run the following two queries in succession against the Master database on the
SQL Server instance in question, and then restart the SQL Server instance:
exec sp_dropserver @@servername, 'droplogins'
declare @sn sysname
select @sn = cast(serverproperty('servername') as sysname)
exec sp_addserver @sn, 'local'
Case 3:
Use the following syntax to identify the SQL Server instance when installing the
Administration Service:
"computername" - for the default instance
"computername\instancename" - for a named instance
In this syntax: "computername" stands for the NetBIOS name of the computer
running SQL Server; "instancename" stands for the name of the SQL Server
instance.
TF00024066
When upgrading the Administration Service from version 5.x to version 6.x with
the migration option selected in the Installation Wizard, you may encounter the
following problem: At the end of the installation process, the Setup program
requires that the computer be restarted.
WORKAROUND
You can avoid having to restart the computer as follows: Prior to running the
Installation Wizard, stop the Administration Service that you are going to
upgrade. To stop the Administration Service version 5.x, enter the following
command at a command prompt on the computer running that Service: net stop
edmsvc
TF00024475
If the ActiveRoles Server Language Pack and Administration Service are installed
on the same computer, uninstalling the Administration Service on that computer
prior to uninstalling the Language Pack causes the following problem: When
attempting to uninstall the Language Pack, you encounter "Error 1920: Service
'ArsSvc' (ArsSvc) failed to start. Verify that you have sufficient privileges to
start system service." As a result, the Language Pack cannot be uninstalled
since the Setup program requires the Administration Service.
WORKAROUND
Install the Administration Service, uninstall the Language Pack, and then
uninstall the Administration Service.
TF00025903
Incorrect behavior of the Web Interface Setup program: Clicking Cancel in the
Web Interface Installation Wizard and then clicking "Exit Setup" may not cancel
the installation process.
WORKAROUND
Wait until the Setup program has completed the installation, and then use the
Add or Remove Programs tool in Control Panel to un-install the Web Interface.
TF00037391
When installing the Administration Service on a Windows Server 2008 based
computer, you may encounter the following error: "Error 1920. Service 'Quest
ActiveRoles Administration Service' (ArsSvc) failed to start. Verify that you
have sufficient privileges to start system services."
WORKAROUND
Do not close the error message box. Use the Services tool to manage the service
named Quest ActiveRoles Administration Service: On the Log On tab in the
Properties dialog box for that service, specify the logon name and password of
the account that you want the service to log on as, and click Apply; then, go to
the General tab, and click Start. Once the service has been started, click Retry
in the error message box that was displayed by the Administration Service Setup
program.
TF00055500
When installing the Administration Service with the option to import data from
an existing ActiveRoles Server database (source database), you may receive the
following error message: "The newsequentialid() built-in function can only be
used in a DEFAULT expression for a column of type 'uniqueidentifier' in a CREATE
TABLE or ALTER TABLE statement. It cannot be combined with other operators to
form a complex scalar expression." The problem may occur if the source database
is hosted by SQL Server that holds the Publisher role in the ActiveRoles Server
replication environment.
WORKAROUND
First, you need to remove the source database from ActiveRoles Server
replication. This can be done in any of the following two ways.
1. If you have an Administration Service instance up and running that uses the
source database, then you can connect to that Administration Service instance
using the ActiveRoles Server console and break the ActiveRoles Server
replication group by removing all Subscribers and then demoting the Publisher.
This will ensure that the source database is in "stand-alone" state.
2. Create a backup of the original source database and then restore the backup
on the same SQL Server instance, choosing a different database name. When
performing the restore, ensure that the KEEP_REPLICATION key ("Preserve the
replication settings" option) is not used (this option is not selected by
default). The database you restored from the backup becomes your new source
database, which again is in "stand-alone" state.
Next, run the following SQL script against the source database (you can run a
SQL script using native tools such as SQL Server Management Studio). Then, run
the Installation Wizard to install the Administration Service, importing data
from the source database you have prepared.
-- Beginning of TF00055500 script --
if (select
top 1 MajorDBVersion from Settings) = 403 and
(select object_id('RestoreConstraints')) is not null
drop proc RestoreConstraints
go
create proc RestoreConstraints
as
begin
declare curConstraints cursor fast_forward for
select
object_name(dc.parent_object_id) as TableName,
c.name as ColName,
dc.name as ConstName
from
sys.default_constraints dc
inner join sys.columns c on dc.object_id = c.default_object_id
where
definition = '(newsequentialid())'
declare @TableName sysname
declare @ColName sysname
declare @ConstName sysname
open curConstraints
fetch curConstraints into @TableName, @ColName, @ConstName
while @@fetch_status = 0
begin
begin try
exec ('alter table ' + @TableName + ' drop constraint ' + @ConstName)
exec ('alter table ' + @TableName + ' add constraint ' + @ConstName + '
default newid() for ' + @ColName)
end try
begin catch
end catch
fetch curConstraints into @TableName, @ColName, @ConstName
end
end
go
exec RestoreConstraints
go
-- End of TF00055500 script --
TF00055582
When installing the ActiveRoles Server Web Interface, you may receive the
following error message in the Installation Wizard: "MsiExec.exe - Bad Image:
The application or DLL <Local Path>\<File Name>.tmp is not a valid Windows
image."
WORKAROUND
You can safely ignore this error message. Click OK in the error message box to
let the Setup program continue the installation process.
TF00011990
The Administration Service does not support querying for more than 200 different
Custom Stored Virtual Attributes (CSVAs) within a single search request. When
you query for more than 200 different CSVAs within a single search request so
that the request is configured to retrieve the values of those attributes, you
may experience performance degradation in the Administration Service and your
query may return incorrect results.
WORKAROUND
If you need to query for a large number of CSVAs (so as to have your search
request retrieve the values of those attributes), perform multiple search
requests with a smaller number of attributes involved in each request. For best
performance, a single search request should not query for more than 32 different
CSVAs.
TF00018378
The Administration Service incorrectly evaluates the delegated rights of the
user account in the following scenario:
- An organizational unit (OU) is configured so that a given user account is set
as the manager of the OU (the Managed By property of the OU is assigned the DN
of the user account).
- The ActiveRoles Server security settings on the OU are configured so that the
"Managed By" built-in account has full control of the OU.
In this scenario, ActiveRoles Server does not permit the user account to modify
objects in the OU. The expected behavior is as follows: since the user account
is set as the manager of the OU, and full control of the OU is delegated to the
"Managed By" account, the user account has full control of the OU and all
objects held in the OU. The same issue occurs in the situation where a group is
set as the manager.
WORKAROUND
Configure the ActiveRoles Server security settings on the OU so that the
appropriate rights (for example, full control) are delegated to the user account
(or group) itself rather than the "Managed By" account.
TF00018419
The default Exchange mailbox store in which the Administration Service creates
user mailboxes may differ from the mailbox store that Microsoft's native tools
select for the mailbox creation operation by default.
WORKAROUND
When you use ActiveRoles Server to create a new mailbox-enabled user or create a
mailbox for an existing user, verify the mailbox store selection, and choose the
appropriate store if necessary. Another option is to configure and apply an
Exchange Mailbox AutoProvisioning policy that would automatically choose the
appropriate mailbox store.
One more option is to configure and apply a script-based policy that would use
the onGetEffectivePolicy handler to set the appropriate default value on the
homeMDB attribute, which specifies the mailbox store:
Sub onGetEffectivePolicy(Request)
Request.SetEffectivePolicyInfo "homeMDB", EDS_EPI_UI_GENERATED_VALUE,
array(<desired value>)
End Sub
TF00018898
The SQL Server database mirroring feature is not supported by the Administration
Service: When the principal SQL Server goes offline and a mirror SQL Server
takes over the principal SQL Server role, the Administration Service is expected
to fail over to the new SQL Server. In this scenario, the Administration Service
may fail to connect to the database.
WORKAROUND
Once connection to the database has failed, modify the Administration Service
database connection parameters using the steps below, so as to have the
Administration Service connect to the database on the SQL Server instance that
is currently active.
1. Stop the Administration Service (net stop arssvc).
2. From a command prompt in the folder that holds the Administration Service
binaries (%ProgramFiles%\Quest Software\ActiveRoles Server\), run arssvc.exe
with the command line parameters composed as appropriate based on the following
syntax:
arssvc.exe /DBServerName <Instance> /DBName <Name> /DBAuthenticationMode 0 | 1 /DBLogin
<Login> /DBPassword <Password> /dbMHServerName <Instance> /dbMHName <Name> /dbMHAuthenticationMode
0 | 1 /dbMHLogin <Login> /dbMHPassword <Password>
In this syntax:
/DBServerName <Instance> - SQL Server instance that hosts the Configuration
database
/DBName <Name> - Name of the Configuration database
/DBAuthenticationMode 0 | 1 - Use SQL Server (0) or Windows (1) authentication
when connecting to the Configuration database
/DBLogin <Login> - SQL Server login to use when connecting to the Configuration
database with SQL Server authentication
/DBPassword <Password> - Password of the SQL Server login specified in the /DBLogin
parameter
/dbMHServerName <Instance> - SQL Server instance that hosts the Management
History database
/dbMHName <Name> - Name of the Management History database
/dbMHAuthenticationMode 0 | 1 Use SQL Server (0) or Windows (1) authentication
when connecting to the Management History database
/dbMHLogin <Login> - SQL Server login to use when connecting to the Management
History database with SQL Server authentication
/dbMHPassword <Password> - Password of the SQL Server login specified in the /dbMHLogin
parameter
For example, with both Configuration and Management History data stored in the
same database named ARServer61 (this is the default topology), the command
syntax would be:
arssvc.exe /DBServerName MySQLServer /DBName ARServer61 /DBAuthenticationMode 1
/dbMHServerName MySQLServer /dbMHName ARServer61 /dbMHAuthenticationMode 1
3. Start the Administration Service (net start arssvc).
TF00022786
When using the "Handle changes from DirSync control" option in a script-based
policy, you may encounter the following problem: The policy does not execute the
onPostDelete handler. This problem occurs if the Policy Object containing the
policy in question is applied (linked) to an organizational unit.
WORKAROUND
Apply the Policy Object to a domain rather than to an organizational unit.
TF00022925
ActiveRoles Server may fail to update a Dynamic Group with large membership if
InTrust for Active Directory is installed on the domain controller performing
the update. In this case, the LSASS.exe process on the domain controller may
consume a large amount of memory. In addition, the EDM Server event log may
contain Warning events with the following description: "Not enough storage is
available to complete the operation."
This problem occurs if all of the following conditions are true:
- There is a Dynamic Group that includes 2000 members or more.
- The "Built-in Policy - Dynamic Groups" policy is configured either to
disallow nested groups (the "Create nested groups to accommodate extra members"
check box is cleared) or to allow more than 2000 members per group.
- Quest InTrust for Active Directory is installed on the domain controller used
by the Administration Service to update the membership list of the group in
question.
WORKAROUND
Use the ActiveRoles Server console to configure the "Built-in Policy - Dynamic
Groups" Policy Object as follows:
1. Locate the "Built-in Policy - Dynamic Groups" Policy Object in the
"Configuration/Policy Objects/Builtin" container, and display the Properties
dialog box for that Policy Object.
2. On the Policies tab, select the policy entry from the list, and click the
"View/Edit" button.
3. On the "Policy Settings" tab, select the "Create nested groups to
accommodate extra members" check box and specify a number less than 2000 in the
"Maximum number of members per group" box.
TF00022929
When attempting to connect to a remote Administration Service using explicit
credentials, you may encounter error messages providing no details on the error
situation. Thus, in the ActiveRoles Server console, when you use the "Connect
As" option in the "Change Administration Service" dialog box, the console may
fail to establish a connection, returning an error such as the following:
- IDispatch error #xxxx
- Unknown error 0x8013xxxx
This problem may occur if all of the following conditions are true:
- You are attempting to connect to a remote Administration Service, or to
assign the Subscriber role to a remote Administration Service.
- You have used the "Connect As" option in the "Change Administration Service"
dialog box, and specified a different user name and password in the "Connect As"
dialog box.
- You do not have sufficient permissions to connect to the Administration
Service without specifying a different user name and password. For example, the
domain of your user account is not trusted by the domain of the Administration
Service computer.
In this case, the console is unable to retrieve the correct error descriptions
from the Administration Service. As a result, only the error codes are
displayed.
WORKAROUND
Use the following steps to add the user name and p